You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Matt Kettler <mk...@evi-inc.com> on 2005/05/12 01:52:06 UTC
New variant of rot-13 trick.
A long time ago, I noticed spammers were including rot-13 encodings of
email addresses in message bodies.
Things like this:
zxrggyre^riv-vap(pbz
Which decodes to:
mkettler^evi-inc(com
Why exactly ^ replaces @ and ( replaces . was never really clear, but
this provided a really nice spam sign, and became the basis of SA's
EMAIL_ROT13 rule, which looks for the characteristic pattern involving (
and ^.
apparently someone's already modified their tactics for this.
I found a spam with this IMG tag in it (note: email addresses other than
mine replaced with xxxxxxxxx to protect my users)
IMG
SRC="http://www.pics-4-showMUNGED.com/1.gif?zxrggyre()riv-vap^Hpbz^Sxxxxxxxxxx()riv-vap^Hpbz^Sxxxxxxxxxx()riv-vap^Hpbz^S^S"
It's the same basic trick, but now it's being used as a parameter to a
web bug. They've modified it slightly so the @ is replaced by () and the
is replaced by ^H, but it's much the same.
Just wanted to let people know the signature has mutated slightly, and
it's being used in HTML tags as well as body text.